I'm building a C# desktop app in Visual Studio's Windows Forms and am using the CefSharp library so I can use html, css, and front-end js for the UI rather than the default Windows Forms components. I've made a login page but need to connect to the database (MySQL).

Now, I realize that there are ways to do this without a library but for simplicity and for the fact that it's designed for this specific purpose, I'm using the MySql.Data package from NuGet. So, my connection string would look like this:

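        // MySqlConnection, MySqlCommand and MySqlConnectionStringBuilder live in this namespace
        using MySql.Data.MySqlClient;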

        ...

        MySqlConnectionStringBuilder conn_string = new MySqlConnectionStringBuilder();
        conn_string.Server = "xxx.xxx.xxx.xxx";
        conn_string.UserID = "root";
        conn_string.Password = "rootPassword";
        conn_string.Database = "accounts";

        using (MySqlConnection conn = new MySqlConnection(conn_string.ToString()))
        using (MySqlCommand cmd = conn.CreateCommand())
        {
            // Run queries here (this probably won't sanitize them uh oh)
        }

Now, this code works all fine and well.

My issue/question is that since I'm using a password in the source code, if someone were to decompile my application, then they would have the login credentials for my database, right?

Is that something I should even be worried about? Should I just run my final build through one of those pieces of software that claims to make your program harder to decompile?

I noticed that in Visual Studio, you can "Add a Data Source" - is there a way I can use that for a MySQL database rather than the default Azure/Oracle/MSS options?

Thanks so much for your time!

Icy
  • Some other information (let me know if you need more) - the framework I am using is .NET **4.7.2** and the IDE I am using is Visual Studio **2019**. Thanks. – Icy Apr 29 '20 at 18:07
  • Have a look at this https://stackoverflow.com/questions/22435561/encrypting-credentials-in-a-wpf-application but unfortunately you have to specify the password at some point :/ Encrypting it will be the best option. Also, if I don't remember wrongly (it's been a few years since the last time I used `Add data source`), you still need to specify the connection string. On web/server apps it is common to use a "vault" which contains the secrets – TiGreX Apr 29 '20 at 18:14
  • You should first worry not to hardcode your connection string in the app but use a configuration file. If your server IP or your password changes, do you want to build and deliver a new version of the app? Then you can also have a look at https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files – Olivier Depriester Apr 29 '20 at 18:14
  • I still like the idea of a REST API, where a server-side script only communicates with the database and the rest goes over HTTPS. I wish I could see a functioning config file and how you will secure it, because your program has to grab it somewhere – nbk Apr 29 '20 at 18:46
  • The only way to avoid this is by having your app be a webapp, where the config file is on the server. – Ian Kemp Apr 29 '20 at 21:07
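
The server-side approach raised in the comments by nbk and Ian Kemp, sketched from the desktop client's side as an added example that is not part of the original thread: the app sends the user's login over HTTPS and never holds a MySQL credential. The endpoint URL, the form field names and the plain-text token response are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public static class LoginClient
{
    // Hypothetical endpoint (assumption). The service behind it is the only
    // component that knows the MySQL connection string, and it should connect
    // with a least-privilege account rather than root.
    private static readonly Uri LoginUri = new Uri("https://api.example.com/login");

    // One shared HttpClient for the lifetime of the app.
    private static readonly HttpClient Http =
        new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

    // Returns the session token issued by the server, or null when the server
    // rejects the credentials. Other failures surface as exceptions.
    public static async Task<string> LoginAsync(string userName, string password)
    {
        // Refuse to send a password over anything but TLS.
        if (LoginUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Login endpoint must use HTTPS.");

        // Field names are assumptions; the server validates them and runs its
        // own parameterized query against the accounts database.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = userName,
            ["password"] = password
        });

        using (HttpResponseMessage resp =
            await Http.PostAsync(LoginUri, form).ConfigureAwait(false))
        {
            if (resp.StatusCode == HttpStatusCode.Unauthorized)
                return null;

            resp.EnsureSuccessStatusCode();
            // Assumed response body: an opaque session token as plain text.
            return await resp.Content.ReadAsStringAsync().ConfigureAwait(false);
        }
    }
}
```

Decompiling a client built this way reveals only the public endpoint URL, so there is no database password for an obfuscator to hide.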

0 Answers